我正在编辑旧页面,我需要对该页面进行授权访问。现在代码是在php中,基本上我设置了1个用户名和1个密码,可以绕过登录屏幕,如果授权成功,登录会将我重定向到我的“秘密”页面。
但是,如果有人知道该“秘密”页面的URL“(例如.... / secrets / secret1.php),他可以绕过登录界面。在这种情况下,最佳解决方案是什么?” p>
我尝试通过编辑.htaccess来隐藏php扩展,但它没有用。我也不想完全隐藏地址栏。
答案 0 :(得分:1)
在您的登录页面中,您可以设置当前用户的会话,以授予其访问需要授权的页面的权限。
例如,如果您有一个登录页面,如:
<?php
/*
Log-In
*/
// Declare Username and Password
$my_username = "admin";
$my_password = "rootstemleaves";
// Declare Page to Redirect
$secret_page = "../secrets/secrets1.php";
// Set Initial Value
$proceed = 0;
// Check if username is empty
if(empty($_POST['username'])){
// Tell user that username is empty
echo "You need to put a username!";
// Set to not proceed
$proceed = 0;
} else {
// Set to proceed
$proceed = 1;
}
// Check if empty password
if(empty($_POST['password'])){
// Tell user that password is empty
echo "You need to put your password";
// Set to not proceed
$proceed = 0;
} else {
// Set to proceed
$proceed = 1;
}
// Finally Proceed if Checked to be ok
if($proceed == 1){
// Check if username is not the same
if($username !== $my_username){
// Tell user that they entered the wrong username
echo "Wrong username!";
} else {
// Check if password is not the same
if($password !== $my_password){
// Tell user that they entered the wrong password
echo "Wrong Password";
} else {
// Finally redirect to page
header("Login: $secret_page");
}
}
}
?>
<!Doctype html>
<html>
<h1>Log-In</h1>
<form method='post'>
<input type='text' name='username' placeholder='Username'><br>
<input type='password' name='password' placeholder='Password'><br>
<br>
<button type='submit'>Submit</button>
</form>
</html>
您只需添加session_start();即可开始会话并将用户设置为登录,以便他们可以访问秘密页面(如果已获得授权)。
因此,您的登录页面看起来应该更像:
<?php
/*
Log-In
New!!!
*/
// It is important to tell PHP to start the session at the beginning of the file
session_start();
// Declare Username and Password
$my_username = "admin";
$my_password = "rootstemleaves";
// Declare Page to Redirect
$secret_page = "../secrets/secrets1.php";
// Check if the user is logged in already or not.
if(!empty($_SESSION['logged_in'])){
// Immediately redirect to page
header("Location: $secret_page");
}
// Set Initial Value
$proceed = 0;
// Check if username is empty
if(empty($_POST['username'])){
// Tell user that username is empty
echo "You need to put a username!";
// Set to not proceed
$proceed = 0;
} else {
// Set to proceed
$proceed = 1;
}
// Check if empty password
if(empty($_POST['password'])){
// Tell user that password is empty
echo "You need to put your password";
// Set to not proceed
$proceed = 0;
} else {
// Set to proceed
$proceed = 1;
}
// Finally Proceed if Checked to be ok
if($proceed == 1){
// Check if username is not the same
if($username !== $my_username){
// Tell user that they entered the wrong username
echo "Wrong username!";
} else {
// Check if password is not the same
if($password !== $my_password){
// Tell user that they entered the wrong password
echo "Wrong Password";
} else {
// Set the session !!!
$_SESSION['logged_in'] = True;
// Finally redirect to page
header("Login: $secret_page");
}
}
}
?>
<!Doctype html>
<html>
<h1>Log-In</h1>
<form method='post'>
<input type='text' name='username' placeholder='Username'><br>
<input type='password' name='password' placeholder='Password'><br>
<br>
<button type='submit'>Submit</button>
</form>
</html>
看看在我们要重定向用户的逻辑结尾处,我们设置了$_SESSION['logged_in'] = True;,因为我们将在稍后的页面中检查需要授权的页面。
因此,在您的秘密页面中,如果用户已登录,则需要添加到顶部:
<?php
/*
Secret Page
*/
// Start the session (Important!)
session_start();
// Your Login Page
$login_page = "login.php";
// Check if user is logged in
if($_SESSION['logged_in'] !== True){
// Redirect to Your Login Page to Prevent Unauthorized Access
header("Location: $login_page");
}
?>
此外,如果您需要注销用户,请使用以下代码创建logout.php:
<?php
/*
Log-Out
*/
// Start the Session (Important!)
session_start();
// Your Login Page
$login_page = "login.php";
// Destroy the session!
session_destory();
// Finally, redirect your user to the log-in page in case they wanted to log-in again
header("Location: $login_page");
?>
因此,在隐藏页面中,只需添加<a href="logout.php">Logout</a>即可注销。
确保将来使用数据库来存储登录凭据并对密码进行哈希和加密(永远不要以纯文本形式存储密码!)
希望有所帮助
答案 1 :(得分:0)
d。 melnik是对的,尝试在您的网页上使用php会话。例如:
if (!$_SESSION['user'])
{
//do this
}
user是数据库中值的一个示例。
始终在您的登录页面中启动会话
session_start();